Ensuring absence of members (services and targets) that do not exist may
not fail as they are not members for servicedelegationtarget and
servicedelegationrule.
servicedelegation_normalize_principals in ansible_freeipa_module has
been extended with a check_exists argument that defaults to False. state
== "present" is now given as this argument to turn on the element exists
check only if elements should be added.
The script now fixes the references for all doc_fragments in the
plugins/doc_fragments folder. So far it was only fixing the references
for ipamodule_base_docs.
PR #762 (automount location: add support for delete_continue) added an
other doc_fragment and the references have not been fixes as needed.
There is a new servicedelegationrule management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationrule.py
The servicedelegationrule module allows to ensure presence and absence of
servicedelegationrules and servicedelegationrule members.
Here is the documentation of the module:
README-servicedelegationrule.md
New example playbooks have been added:
playbooks/servicedelegationrule/servicedelegationrule-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-present.yml
New tests for the module:
tests/servicedelegationrule/test_servicedelegationrule.yml
tests/servicedelegationrule/test_servicedelegationrule_client_context.yml
tests/servicedelegationrule/test_servicedelegationrule_hostprincipal.yml
There is a new servicedelegationtarget management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationtarget.py
The servicedelegationtarget module allows to ensure presence and absence of
servicedelegationtargets and servicedelegationtarget members.
Here is the documentation of the module:
README-servicedelegationtarget.md
New example playbooks have been added:
playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml
playbooks/servicedelegationtarget/servicedelegationtarget-present.yml
New tests for the module:
tests/servicedelegationtarget/test_servicedelegationtarget.yml
tests/servicedelegationtarget/test_servicedelegationtarget_client_context.yml
tests/servicedelegationtarget/test_servicedelegationtarget_hostprincipal.yml
This function will be used in servicedelegation target and rule modules
to normalize principals given in the tasks. These can be service and host
principals and also aliases.
Note: The use of host principals requires IPA 4.9.0 or later. fail_json
is called if the version is lower.
servicedelegation_normalize_principals contains two embedded fuctions.
One is normalize_principal_name that has been copied from
ipaserver/plugins/servicedelegation.py, the other is the generic
function _check_exists to be able to check if a host or service exists.
Similar to PR 286
This PR explicitly sets `no_log` option for `update_password` attribute to `False`, so that the warning on `no_log` not being set is not issued anymore. Ansible incorrectly issued the warning, as `update_password` does not carry sensitive information.
The service hostname needs to be gathered from ansibe_facts as it might
not be "ipaserver". ansible_facts['fqdn'] is now used as the service
hostname, therefore gather_facts had to be turned on.
When ensuring states 'undeleted', 'enabled', 'disabled', and 'unlocked'
the error messages for an unexistent user were not consistent.
This change changes the message for all states to "No user '%s'."
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
As of verison 1.6.1 of ansible-freeipa, ipadnsconfig supports
'action: member' to manage DNS forwardes, and requires the use of this
action if 'state: present'.
This patch fixes the playbook examples.
The services returned by group_find are of type
ipapython.kerberos.Principal. Addtionally the services are case
insensitive. Therefore services need to be converted to a lowercase
sting for proper comparison.
test_group.yml has been extended with service tests.
Upstream tests were not testing one path of code related to variable
`deny_sudocmdgroup`, and a regression was added.
This patch fixes a call to the current configuration dictionary, and
add tests so that the code path is executed in the upstream tests.
The client context on server test is failing with a date that is
expired. The server context on server test is not failing.
Setting an expired date with the command line is possible though.
This patch adds support for 'action: member' for ipadnsconfig plugin,
impacting management of DNS forwarders setting.
Use of 'state: absent' now requires 'action: member'. With 'state:
present', orwarders can be either defined through 'action: dnsconfig'
or added using 'action: member'.
Tests have been updated to reflec the new behavior.
If one tries to set a list of forwarders which include an already
existing forwarder, the existing forwarder is removed, and the list
of configured forwarders contain only the new ones.
This patch fixes this behavior by setting a union of the currently
available forwarders and the list of forwarders provided in the
playbook.
Tests were added to ensure this behavior.
The host members of ipahostgroup need to be lowercase and FQDN to be
able to do a proper comparison with exising hosts in the hostgroup.
Fixes: #666 (ipahostgroup not idempotent and with error)
Due to a change in Ansible to depend on Python 3.8 it is needed to only
use bindings that are provided by Python and Ansible core. gssapi is
therefore not usable any more.
The kinit_keytab function was using gssapi and now has to use the kinit
command insead.
The main REAADME has been fixed to contain information about the
automount key and map modules, the reference to the hbacsvcgroup README
has been fixed and a new test has been added as a github workflow.
